Abstract. We describe a deterministic algorithm for finding a generating element of the multiplicative group of the finite field $\mathbb{F}_{p^n}$ where $p$ is a prime. In time polynomial in $p$ and $n$, the algorithm either outputs an element that is provably a generator or declares that it has failed in finding one. The algorithm relies on a relation generation technique in Joux's heuristic $L(1/4)$ method for discrete logarithm computation. Based on a heuristic assumption, the algorithm does succeed in finding a generator. For the special case when the order of $p$ in $(\mathbb{Z}/n\mathbb{Z})^*$ is small (that is, $(\log(n))^{O(1)}$), we present a modification with a greater guarantee of success while making weaker heuristic assumptions.

1. Introduction

Let $p$ be a prime and $n$ a positive integer. The multiplicative group $\mathbb{F}_{p^n}^*$ of the finite field $\mathbb{F}_{p^n}$ is cyclic and has $\varphi(p^n - 1)$ generators (also called primitive elements), where $\varphi$ is Euler's totient function. Since $\varphi(p^n - 1) = \Omega\left(\frac{p^n - 1}{\log(\log(p^n - 1))}\right)$, a large fraction of the elements of $\mathbb{F}_{p^n}$ are generators. In spite of their abundance, finding one efficiently remains an important open problem. The difficulty lies in testing if a given element is a generator, and all known algorithms for testing either factor $p^n - 1$ or solve an instance of the discrete logarithm problem in $\mathbb{F}_{p^n}$, both of which are difficult.

Even if the question is relaxed and an element of large order is sought, approaches that work in general for every $p$ and $n$ are rare. Gao presents an algorithm that produces an element of order $\exp(\Omega((\log n)^2/\log(\log(n))))$. Gao's algorithm is efficient conditioned on a conjecture which bears resemblance to our heuristic 2.1. Voloch [53] presents an approach suited to small $p$ that finds an element of order $\exp(\Omega(\sqrt{n}))$. Notably, no previous algorithms to compute an element of order exponential in $n$ were known, even if allowed to make heuristic assumptions.

There are other constructions that provably find an element of large order, but they only apply to very special $(p, n)$ pairs [25] [1] [6] [5] [3] [18] [19]. For certain $(p, n)$ pairs, von zur Gathen and Shparlinski [25] introduced the idea of constructing elements of high order using Gauss periods. Extensions and improvements on their results appear in [1] [3] [18] [19]. When n — ^—^ for some $c > 1$, Cheng, Gao and Wan [5] describe a deterministic algorithm that finds an element of order $\exp(\Omega(\sqrt{n}))$ in time polynomial in $p^c$. Voloch [24] and Chang [4] present constructions based on elements appearing as coordinates of points on certain curves.
An alternate relaxation of the question is to find small sets that contain a generator. Davenport proved that when $p$ is large enough compared to $n$ and $\mathbb{F}_{p^n} = \mathbb{F}_p[\theta]$, the set $\mathbb{F}_p + \theta$ contains a generator of $\mathbb{F}_{p^n}$. Shoup [20] extended this result to prove the existence of a subset $A \subset \mathbb{F}_{p^n}$ of size polynomial in $p$ and $n$ that contains a generator. Further, the set contains elements of degree bounded by $O(\log_p(n))$ when represented as polynomials in $\theta$. Shparlinski in [21] gave a simpler, more efficient construction and in [22] further reduced the size of the subset $A$. The question remains of how to identify a generator given a small set that contains one.

In recent breakthroughs, Göloğlu, Granger, McGuire and Zumbrägel [10] and Joux [14] independently devised algorithms that, assuming certain widely believed heuristics, compute discrete logarithms in small characteristic finite fields faster than previously known. The authors of [10] demonstrated their algorithm by computing discrete logarithms in $\mathbb{F}_{2^{1971}}$, which at the time of announcement was a record [11]. Joux's algorithm is the first to compute discrete logarithms in heuristic $L(1/4, o(1))$ time, where $L(\ell, c)$ is defined as $\exp((c + o(1))(\log(p^n))^{\ell}(\log\log(p^n))^{1-\ell})$. All previous algorithms required $L(1/3, o(1))$ time and this speed up allowed Joux [15] to compute discrete logarithms in $\mathbb{F}_{2^{4080}}$. Göloğlu, Granger, McGuire and Zumbrägel [12] then extended the record to $\mathbb{F}_{2^{6120}}$.

A remarkable feature shared by the algorithms is that they both consider a small set as the factor base, one that is of size polynomial in the extension degree. Further, if the extensions they consider are obtained by adjoining a root $\zeta$, then the factor base contains the elements that can be represented as linear polynomials in $\zeta$. Assuming their relation generation algorithms succeed, discrete logarithms of the factor base elements can be determined up to a common constant multiple.

We propose to use the factor base and relation generation technique in Joux's paper [14] to efficiently find generators in $\mathbb{F}_{p^n}$ of small characteristic. Whereas the algorithm for discrete logarithm computation assumes a given generator of the entire group, our interest is to find such a generator. Our observation however is that if the collected relations among the elements of the factor base are found to determine a cyclic group, then a generator of the cyclic group can also be constructed (see 2.4). Thus the factor base does not necessarily have to contain a generator. It suffices if the factor base generates the whole multiplicative group, and this is indeed the case, as we observe that a result of F.R.K. Chung [7] nicely applies to our situation, where the finite field can be considered as an extension over a large enough base field. Thus our algorithm, in time polynomial in $p$ and $n$, either certifiably finds a generator or indicates that it has failed in doing so. Moreover, assuming a slightly weaker heuristic assumption than what is implicitly assumed in Joux's method, our algorithm finds a generator in time polynomial in $p$ and $n$ (see Theorem 2.4). In addition to the heuristic reasoning provided in this paper, the success of Joux's method in breaking the record of discrete logarithm computation can be taken as strong evidence in support of the heuristic assumption.

For instances where $p$ is of small order in $(\mathbb{Z}/n\mathbb{Z})^*$, we present a modified algorithm that is simpler to state and relies on fewer heuristic assumptions.

In terms of organization, section 2.1 discusses the representation and preprocessing steps and leads to 2.2, where a search procedure for the special representation of finite fields required by the relation generation algorithm is described. Section 2.3 is on picking a small subset that generates the multiplicative group, followed by sections 2.4 and 2.5, which describe the relation generation procedure culminating in an algorithm for computing a generator. The final section deals with the special case when $p$ is of small order in $(\mathbb{Z}/n\mathbb{Z})^*$.

2. Finding Primitive Elements

2.1. Representation of the Finite Fields. As an initial step, $\mathbb{F}_{p^n}$ is considered as being embedded in $\mathbb{F}_{q^{2n}}$, where $q$ is chosen such that $n < q$. In particular, we set $q := p^m$, where $m := \lceil \log_p(n) \rceil$.

The field $\mathbb{F}_{q^{2n}}$ is constructed as $\mathbb{F}_{q^2}[\zeta]$, where $\zeta$ is a root of an irreducible polynomial $g(x) \in \mathbb{F}_{q^2}[x]$ of degree $n$ that is of a special form (see section 2.2).

The algorithm then proceeds by finding an element $\gamma$ such that $\langle \gamma \rangle = \mathbb{F}_{q^2}[\zeta]^*$. As a consequence, $\delta := \gamma^{(q^{2n} - 1)/(p^n - 1)}$ has order $p^n - 1$ and generates the multiplicative group of $\mathbb{F}_p[\delta] \cong \mathbb{F}_{p^n}$.

Informally, an explicit representation of $\mathbb{F}_{p^n}$ is as an $\mathbb{F}_p$ vector space with a basis that allows efficient multiplication. For instance, regarding $\mathbb{F}_{p^n}$ as $\mathbb{F}_p[\mu]$ where $\mu$ is a root of a known irreducible degree $n$ polynomial is an explicit representation. Due to Lenstra [16, Thm 1.2], an isomorphism between two explicit representations of a field of size $p^n$ can be computed deterministically in time polynomial in $n$ and $\log(p)$. Thus a generator for any explicit representation of $\mathbb{F}_{p^n}$ can be found as the image of $\delta$ under an isomorphism.

2.2. Searching for an Irreducible Polynomial of a Special Form. We seek polynomials $h_0, h_1 \in \mathbb{F}_{q^2}[x]$ of low degree such that the factorization of $h_1(x)x^q - h_0(x)$ over $\mathbb{F}_{q^2}[x]$ has an irreducible factor of degree $n$. Let $g(x)$ denote one such irreducible factor of degree $n$. The field extension $\mathbb{F}_{q^{2n}}/\mathbb{F}_{q^2}$ is constructed as $\mathbb{F}_{q^2}[\zeta]$ where $\zeta$ is a root of $g(x)$. The motivation behind choosing $g$ in this manner is that the identity $h_1(\zeta)\zeta^q - h_0(\zeta) = 0$ would later allow us to replace $\zeta^q$ with an expression consisting of the low degree polynomials $h_0(\zeta)$ and $h_1(\zeta)$.

As an example, when $n = q - 1$, setting $h_1(x) = 1$ and $h_0(x) = \lambda x$ where $\langle \lambda \rangle = \mathbb{F}_q^*$ yields $h_1(x)x^q - h_0(x) = x(x^{q-1} - \lambda)$, where $(x^{q-1} - \lambda)$ is irreducible of degree $q - 1$. Consequently, for the special case when $\mathrm{ord}_n(p)$, the order of $p$ modulo $n$, is small (say $(\log_p n)^{O(1)}$), in the initial step we can set $m := \mathrm{ord}_n(p)$, $q := p^m$, embed $\mathbb{F}_{p^n}$ into $\mathbb{F}_{q^{2(q-1)}}$ and skip the search for $h_0$ and $h_1$.

For $r > n$, let $N_q(r, n)$ denote the number of polynomials over $\mathbb{F}_{q^2}$ of degree $r$ that have an irreducible factor of degree $n$. As a first approximation, $N_q(r, n)$ is the product of the number of ways of choosing an irreducible polynomial of degree $n$ and the number of ways of choosing a polynomial of degree $r - n$. Since roughly a fraction $1/n$ of all polynomials of degree $n$ are irreducible, the probability $P_q(r, n) := N_q(r, n)/q^{2r}$ that a random polynomial of degree $r$ has an irreducible factor of degree $n$ is about $1/n$. The following precise bound on $P_q(r, n)$ is proven in [8]

where $I_n$ denotes the number of irreducible polynomials over $\mathbb{F}_{q^2}$ of degree $n$. Further, $I_n/q^{2n}$ is asymptotic to $1/n$ as $n$ tends to infinity.

If we were to assume that a random polynomial of the form $h_1(x)x^q - h_0(x)$, where $h_0$ and $h_1$ are of degree at most $d$, has an irreducible factor of degree $n$ with probability $P_q(q + d, n)$, then choosing $d = \Theta(\log_{q^2}(n)) = \Theta(1)$ is sufficient to ensure the existence of the $h_0$ and $h_1$ that we seek, and leads to the following heuristic.

Heuristic Assumption 2.1. There exists a positive integer $d$ such that for all prime powers $q$ and for all positive integers $n < q$, there exist $h_0, h_1 \in \mathbb{F}_{q^2}[x]$ of degree bounded by $d$ such that the factorization of $h_1(x)x^q - h_0(x)$ over $\mathbb{F}_{q^2}[x]$ has an irreducible factor of degree $n$.

Search for $h_0(x)$, $h_1(x)$ and $g(x)$: Enumerate candidates for $h_0, h_1 \in \mathbb{F}_{q^2}[x]$ with each of their degrees bounded by $d$. For each candidate pair $(h_0, h_1)$, factor $h_1(x)x^q - h_0(x)$ and if it has an irreducible factor of degree $n$, output $h_0$, $h_1$ and the factor of degree $n$ and stop. If no such candidates are found, declare failure.

The search algorithm terminates after considering at most $q^{4(d+1)} = q^{O(1)}$ candidate pairs. Factoring each candidate $h_1(x)x^q - h_0(x)$ takes time polynomial in the degree $q + d$. Thus $h_0$, $h_1$ and $g$ of the desired form can be computed in $q^{O(1)}$ time and $\mathbb{F}_{q^{2n}}$ can be constructed as $\mathbb{F}_{q^2}[\zeta]$ where $\zeta$ is a root of $g(x)$.

2.3. Small Generating Set. We next choose a small subset $S \subset \mathbb{F}_{q^2}[\zeta]$ that generates $\mathbb{F}_{q^{2n}}^*$. F.R.K. Chung proved that for all prime powers $s$, for all positive integers $r$ such that $(r - 1)^2 < s$, and for all $\mu$ such that $\mathbb{F}_{s^r} = \mathbb{F}_s[\mu]$, the set $\mathbb{F}_s + \mu$ generates $\mathbb{F}_{s^r}^*$ [7, Thm. 8] [26, Ques 1.1]. Since $n < q$, setting $S := \mathbb{F}_{q^2} + \zeta$ ensures that the subgroup generated by $S$ satisfies $\langle S \rangle = \mathbb{F}_{q^{2n}}^*$.

2.4. The Relation Lattice and Primitive Elements. Given that $\langle S \rangle = \mathbb{F}_{q^{2n}}^*$, the next step is to determine the relations satisfied by the elements in $S$ so that we can determine $\mathbb{F}_{q^{2n}}^*$ as the free abelian group $\mathbb{Z}^{|S|}$ modulo the relations.

For a technical reason, $S$ is first extended to the set $F := \{h_1(\zeta)\} \cup \{\lambda\} \cup S$, where $\langle \lambda \rangle = \mathbb{F}_{q^2}^*$. An identity in $\mathbb{F}_{q^{2n}}$ of the form $\prod_{\beta \in F} \beta^{e_\beta} = 1$ for integers $e_\beta$ defines a relation vector $(e_\beta, \beta \in F)$ indexed by elements in $F$. Let $\Gamma$ denote the $|F|$-dimensional $\mathbb{Z}$-lattice of all relation vectors. The lattice $\Gamma$ determines the subgroup generated by $F$ as $\langle F \rangle \cong \mathbb{Z}^{|F|}/\Gamma$. Since $\langle F \rangle = \mathbb{F}_{q^{2n}}^*$, $\mathbb{F}_{q^{2n}}^* \cong \mathbb{Z}^{|F|}/\Gamma$.

The relation search step attempts to determine the lattice $\Gamma$ by collecting a set of $N$ relation vectors. Let $R$ be the $N$ by $|F|$ matrix consisting of the relation vectors as rows and $\Gamma_R$ the $\mathbb{Z}$-lattice generated by the rows of $R$. The Smith normal form of $R$ gives the decomposition of $\mathbb{Z}^{|F|}/\Gamma_R$ into its invariant factors

$$\mathbb{Z}^{|F|}/\Gamma_R = \langle e(1) \rangle \oplus \langle e(2) \rangle \oplus \cdots \oplus \langle e(r) \rangle \oplus E_{free} \cong \mathbb{Z}/d_1\mathbb{Z} \oplus \mathbb{Z}/d_2\mathbb{Z} \oplus \cdots \oplus \mathbb{Z}/d_r\mathbb{Z} \oplus \mathbb{Z}^{|F| - r}$$

where $r$ is the $\mathbb{Z}$-rank of $R$, $E_{free}$ is a free $\mathbb{Z}$-module of rank $|F| - r$, and for $1 \le i \le r$, $e(i) \in \mathbb{Z}^{|F|}$ denotes a relation vector and $d_i$ the order of $e(i)$ in $\mathbb{Z}^{|F|}/\Gamma_R$, and for $1 \le i < r$, $d_i \mid d_{i+1}$. Let $\pi_R$ denote $\prod_{\beta \in F} \beta^{e(r)_\beta}$.

If $r = |F|$, then $\mathbb{Z}^{|F|}/\Gamma_R$ is finite, and if in addition $\prod_{1 \le i \le r} d_i = q^{2n} - 1$, then we can deduce that $\Gamma_R = \Gamma$. Since $\mathbb{F}_{q^{2n}}^* \cong \mathbb{Z}^{|F|}/\Gamma$ is cyclic, if $r = |F|$ and $\prod_{1 \le i \le r} d_i = q^{2n} - 1$, we can conclude that for $1 \le i < r$, $d_i = 1$ and $\pi_R$ generates $\mathbb{F}_{q^{2n}}^*$.

In general, $\Gamma_R$ might only be a sublattice of $\Gamma$. From the natural surjection

$$\mathbb{Z}^{|F|}/\Gamma_R \twoheadrightarrow \mathbb{Z}^{|F|}/\Gamma \cong \mathbb{F}_{q^{2n}}^*$$

it follows that if $\mathbb{Z}^{|F|}/\Gamma_R$ is cyclic, then the image of $\pi_R$, which is a generator of $\mathbb{Z}^{|F|}/\Gamma_R$, under the surjection generates $\mathbb{Z}^{|F|}/\Gamma$.

This observation implies that all we need to do is test if $\mathbb{Z}^{|F|}/\Gamma_R$ is a finite cyclic group and if so output $\pi_R$. It does not matter if the order of $\mathbb{Z}^{|F|}/\Gamma_R$ is a multiple of $q^{2n} - 1$. To check if $\mathbb{Z}^{|F|}/\Gamma_R$ is cyclic, it suffices to check if $r = |F|$ and $d_i = 1$ for $1 \le i < r$.

2.5. Joux's Relation Generation Algorithm. The relation generation phase begins with the following identity over $\mathbb{F}_{q^2}[x]$:

$$\prod_{\alpha \in \mathbb{F}_q} (x - \alpha) = x^q - x.$$



For $(a, b, c, d) \in \mathbb{F}_{q^2}^4$ such that $ad - bc \neq 0$, the substitution $x \mapsto \frac{a\zeta + b}{c\zeta + d}$ yields

$$\prod_{\alpha \in \mathbb{F}_q} \frac{(a - \alpha c)\zeta + (b - \alpha d)}{c\zeta + d} = \frac{(c\zeta + d)(a\zeta + b)^q - (a\zeta + b)(c\zeta + d)^q}{(c\zeta + d)^{q+1}}.$$

Linearity of raising to the $q$-th power implies

$$(c\zeta + d) \prod_{\alpha \in \mathbb{F}_q} \big((a - \alpha c)\zeta + (b - \alpha d)\big) = (c\zeta + d)(a^q \zeta^q + b^q) - (a\zeta + b)(c^q \zeta^q + d^q).$$

By substituting $\zeta^q = \frac{h_0(\zeta)}{h_1(\zeta)}$, the right hand side becomes

$$\frac{(ca^q - ac^q)\zeta h_0(\zeta) + (da^q - bc^q)h_0(\zeta) + (cb^q - ad^q)\zeta h_1(\zeta) + (db^q - bd^q)h_1(\zeta)}{h_1(\zeta)}.$$

Consider the numerator of the above expression as a polynomial $n(x) \in \mathbb{F}_{q^2}[x]$ evaluated at $\zeta$. The degree of $n(x)$ is bounded by $d + 1$. If $n(x)$ factors into linear factors over $\mathbb{F}_{q^2}[x]$, then we get the following relation in $\langle F \rangle$:

$$(c\zeta + d)h_1(\zeta) \prod_{\alpha \in \mathbb{F}_q} \big((a - \alpha c)\zeta + (b - \alpha d)\big) = n(\zeta).$$

The above expression can be written as a product of an element in $\mathbb{F}_{q^2}^*$ times $h_1(\zeta)$ times a fraction of products of monic linear polynomials in $\zeta$ over $\mathbb{F}_{q^2}$ being equal to 1. By expressing the element in $\mathbb{F}_{q^2}^*$ as a power of $\lambda$, we indeed get a relation in $\langle F \rangle$.

The reason for choosing to work over $\mathbb{F}_{q^2}$ instead of $\mathbb{F}_q$ is that for every choice of $a, b, c, d \in \mathbb{F}_q$, the relation it yields becomes $\zeta^q - \zeta = \prod_{\alpha \in \mathbb{F}_q} (\zeta - \alpha)$. Thus, we have to work over an extension of $\mathbb{F}_q$ where the $q$-th power map would be non-trivial, and $\mathbb{F}_{q^2}$ is the smallest such extension.

For an $e \in \mathbb{F}_{q^2}^*$, the substitutions $x \mapsto \frac{a\zeta + b}{c\zeta + d}$ and $x \mapsto \frac{ea\zeta + eb}{ec\zeta + ed}$ are identical and will lead to the same relation. Thus, the possible choices for $a, b, c, d \in \mathbb{F}_{q^2}$ that could lead to distinct relations can at best be identified with elements in $PGL(2, q^2)$.

Further, the relations corresponding to an element in $PGL(2, q^2)$ and its product with an element in $PGL(2, q)$ are off by the relation corresponding to the identity

$$\zeta^q - \zeta = \prod_{\alpha \in \mathbb{F}_q} (\zeta - \alpha).$$

Thus the number of possible choices for $a, b, c, d$ can be identified with elements in the group $PGL(2, q^2)/PGL(2, q)$, which has cardinality $q(q^2 + 1) = \Theta(q^3)$.

Relation Generation: For every $(a, b, c, d) \in \mathbb{F}_{q^2}^4$ such that $ad - bc \neq 0$, compute the numerator $n(x)$ and if it factors into linear factors over $\mathbb{F}_{q^2}[x]$, add the relation as a row to the relation matrix $R$.

Heuristic Assumption 2.2. The generated relation lattice $\Gamma_R$ is large enough to ensure that $\mathbb{Z}^{|F|}/\Gamma_R$ is a finite cyclic group.

Note that for every $\beta \in F$, we could add the relation $\beta^{q^{2n} - 1} = 1$ to ensure that $\mathbb{Z}^{|F|}/\Gamma_R$ is finite.

The probability that a random polynomial of degree at most $d + 1$ factors into linear factors is roughly $\frac{1}{(d+1)!}$ [17]. If the numerator polynomials $n(x)$ that appear in the relation generation phase behave as random polynomials with respect to their probability of splitting into linear polynomials, then the expected number of trials required to get a relation is $(d + 1)!$. Since $d$ is a constant independent of $q$ and $n$, the expected number of rows of $R$ is a constant fraction of $\Theta(q^3)$.

Since the dimension of the lattice $|F|$ is at most $q^2 + 2$ and $\Gamma_R$ is the lattice generated by $\Theta(q^3)$ points, it is overwhelmingly likely that $\Gamma_R = \Gamma$, which makes the weaker claim of heuristic 2.2 even more plausible.



The relation generation step can be performed in $q^{O(1)}$ time since the number of choices for $(a, b, c, d)$ is at most $q^{O(1)}$ and factoring the numerator polynomial is $q^{O(1)}$ as it is of constant degree. We have to express the constant $\mathbb{F}_{q^2}$ factor in the relation as a power of $\lambda$, but that can be accomplished by solving the discrete logarithm in $\mathbb{F}_{q^2}$ exhaustively in $q^2$ time. All that remains is to determine if $\mathbb{Z}^{|F|}/\Gamma_R$ is a finite cyclic group by computing the Smith normal form of $R$. The Smith normal form computation can be performed in $q^{O(1)}$ time since $R$ has at most $\Theta(q^3)$ rows, at most $q^2 + 2$ columns and each entry is an integer bounded by $q^2$.



We would like to thank Antoine Joux for pointing out the need to mod out by PGL(2, q). 
Testing Phase: Compute the Smith normal form of $R$ and if $\mathbb{Z}^{|F|}/\Gamma_R$ is a finite cyclic group, output $\pi_R$. Else, declare failure.

To summarize, our algorithm either certifiably finds a generator or indicates that it has failed in doing so. If the heuristics 2.1 and 2.2 are true, then the algorithm finds a generator in time polynomial in $q$, which is a polynomial in $p$ and $n$.

2.6. Reducing the Problem of Finding Generators to a Conjecture. Since the generated relation lattice $\Gamma_R$ depends on the choice of the polynomials $h_0$, $h_1$ and $g$, heuristic 2.2 implicitly claims that for every choice of $h_0$, $h_1$ and $g$, the corresponding $\mathbb{Z}^{|F|}/\Gamma_R$ is a finite cyclic group. This assumption can be weakened significantly by using the following modified testing phase.

Modified Testing Phase: Compute the Smith normal form of $R$ and if $\mathbb{Z}^{|F|}/\Gamma_R$ is a finite cyclic group, output $\pi_R$. Else, continue with the search for a new choice of $h_0$ and $h_1$.

With the modified testing phase, our algorithm succeeds if there exist $h_0$ and $h_1$ of constant degree that result in a $\Gamma_R$ that defines a finite cyclic group, and we have the following theorem.

Theorem 2.3. If there exists a positive integer $d$ such that for all prime powers $q$ and for all positive integers $n < q$, there exist $h_0, h_1 \in \mathbb{F}_{q^2}[x]$ of degree bounded by $d$ such that the factorization of $h_1(x)x^q - h_0(x)$ over $\mathbb{F}_{q^2}[x]$ has an irreducible factor $g(x)$ of degree $n$, and the relation lattice $\Gamma_R$ corresponding to $h_0, h_1, g$ defines a finite cyclic group $\mathbb{Z}^{|F|}/\Gamma_R$, then a generator for $\mathbb{F}_{p^n}$ can be found deterministically in time polynomial in $p$ and $n$.

2.7. The special case when $p$ is of small order in $(\mathbb{Z}/n\mathbb{Z})^*$. For the special case when $\mathrm{ord}_n(p)$, the order of $p$ modulo $n$, is $(\log_p n)^{O(1)}$, we present a modification to the algorithm that results in a procedure that has a greater guarantee of success while assuming less.

In the initial step, set $m := \mathrm{ord}_n(p)$, $q := p^m$ and embed $\mathbb{F}_{p^n}$ into $\mathbb{F}_{q^{2(q-1)}}$. Set $h_1(x) = 1$ and $h_0(x) = \eta x$ where $\langle \eta \rangle = \mathbb{F}_q^*$. Such an $\eta$ can be found in $O(q)$ time by exhaustive searching. Since $h_1(x)x^q - h_0(x) = x(x^{q-1} - \eta)$, where $(x^{q-1} - \eta)$ is irreducible of degree $q - 1$, set $g(x) = x^{q-1} - \eta$.

Since the degrees of $h_1$ and $h_0$ are at most 1, the numerator $n(x)$ that appears in the relation search is of degree at most 2.

If the numerators $n(x)$ behave as random polynomials of degree 2 in terms of factorization, then they factor with probability $\frac{1}{2}$. Thus, we expect to get at least $q(q^2 + 1)/2$ relations. In fact, we can prove that we get at least $q^2 + q$ relations.

Consider the upper triangular subgroup $G_U$ of $PGL(2, q^2)/PGL(2, q)$, that is, the subgroup whose elements have a representative of the form

$$\begin{pmatrix} a & b \\ 0 & 1 \end{pmatrix}$$

where $a \in \mathbb{F}_{q^2}^*$, $b \in \mathbb{F}_{q^2}$. The cardinality of $G_U$ is $((q^2 - 1)q^2)/((q - 1)q) = q^2 + q$.

For an element in $G_U$ corresponding to an $a \in \mathbb{F}_{q^2}^*$ and a $b \in \mathbb{F}_{q^2}$, the numerator polynomial $n(x)$ we obtain is the linear polynomial

$$(a^q \eta - a)x + (b^q - b).$$

Thus, we are guaranteed at least $q^2 + q$ relations.

Likewise, by considering the subgroup $G_L$ of $PGL(2, q^2)/PGL(2, q)$ consisting of elements with a lower triangular representative, we get $q^2 + q - 1$ more relations.

Thus far we have made no heuristic assumptions for this special case. The only assumption we make is that $\mathbb{Z}^{|F|}/\Gamma_R$ is finite cyclic. The dimension of the relation lattice $\Gamma$ is $q^2 + 1$ and we get at least $2q^2 + 2q - 1$ distinct relations. If the relations that we obtain are modeled as being drawn independently at random from $\Gamma$, then with overwhelming probability $\Gamma_R = \Gamma$.

As a final remark, instead of restricting the factor base $F$ to monic linear polynomials in $\zeta$, we could also include the evaluations of quadratic irreducible polynomials in $\mathbb{F}_{q^2}[x]$ at $\zeta$, but only those that appear as factors of the $n(x)$ during the relation search. Further, the first time a degree two element is encountered, it can be expressed in terms of a product of linear factors. If a quadratic factor reappears, then it implies a new relation between products of linear factors.